Exploiting Silence: 0-Click System Crashes via UDP in Windows Deployment Services
A newly uncovered vulnerability in Microsoft’s Windows Deployment Services (WDS) exposes enterprise systems to a severe zero-click denial-of-service (DoS) attack that can be executed remotely—without authentication or user interaction.
The flaw lies in the UDP-based TFTP service listening on port 69, which is central to the PXE boot functionality WDS uses to deploy operating systems over the network. By exploiting this weakness, an attacker can crash a vulnerable server in minutes, posing a serious risk to organizations that rely on WDS for streamlined operating system rollouts.
How the Vulnerability Works
Discovered by security researcher Zhiniang Peng, the vulnerability stems from how WDS handles incoming TFTP (Trivial File Transfer Protocol) sessions. When a connection request is received, WDS creates a CTftpSession object via the function wdstftp!CClientContext::OnConnectionRequest. However, there is a fundamental flaw: no limits are enforced on the number of sessions the server can spawn.
By sending a flood of spoofed UDP packets with randomized source IPs and ports, attackers can rapidly exhaust system memory. UDP, being connectionless, does not validate packet origins, making it trivial to fake traffic. This allows an attacker to create thousands of phantom sessions without ever being traced or authenticated.
“The core issue is that EndpointSessionMapEntry imposes no limit on the number of sessions. Consequently, an attacker can forge fake client IP addresses and port numbers, repeatedly creating new sessions until system resources are exhausted,” Peng explains.
Proof-of-Concept: From Packet Flood to Server Crash in Minutes
In a test environment running Windows Server Insider Preview with 8GB RAM, Peng demonstrated that the attack could consume 15GB of memory in just 7 minutes, ultimately crashing the server.
The technique requires only a basic Linux environment and a script to generate spoofed UDP packets—no advanced skills or access rights are needed. According to Peng, leveraging multithreading would further accelerate the impact.
Why This Matters
Windows Deployment Services is widely used across corporate networks, data centers, and educational institutions for remote OS installations. A successful exploit could paralyze an entire PXE infrastructure, preventing devices from booting and disrupting IT operations at scale.
The stealthy nature of the attack—no authentication, no interaction, and difficult packet attribution—makes traditional defense mechanisms such as antivirus or endpoint protection ineffective.
No Patch from Microsoft — Yet
Despite the critical nature of this vulnerability, Microsoft has not released a patch. Peng warns that, even in the absence of remote code execution, the vulnerability remains a high-impact DoS flaw that can bring down key infrastructure remotely.
This isn’t the first WDS vulnerability to surface—CVE-2019-0603, a remote code execution flaw, was patched in March 2019. However, this new issue remains unaddressed, increasing the pressure on IT administrators to act.
What Can You Do?
Until Microsoft responds, mitigation options are limited. Organizations are advised to:
- Restrict external access to UDP port 69 using firewalls or VLAN segmentation.
- Consider disabling WDS TFTP services if not in use, or limit usage to isolated environments.
- Explore alternative deployment methods, such as SCCM with HTTPS or modern endpoint management platforms.
- Implement network-based rate-limiting where possible to slow down potential floods.
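Because the flood described above relies on every packet arriving from a freshly spoofed source IP and port, defenders can spot it in flow or firewall logs: legitimate PXE clients reuse one source tuple and retransmit, while a spoofed flood produces thousands of distinct tuples that never send a second packet. The following detection heuristic is an added example, not code from the article or from Peng's research; the thresholds, the flow-record layout and the sample data are all assumptions.

```python
"""Flag a spoofed TFTP (UDP/69) session flood in flow records.

Heuristic: count distinct (src_ip, src_port) tuples per time window and the
share of them that sent exactly one packet. Real PXE clients are few and
retransmit from the same tuple; a spoofed flood is many one-shot tuples.
"""
from collections import defaultdict
import random

TFTP_PORT = 69
WINDOW_SECONDS = 60
# Assumed thresholds; tune them to the site's normal PXE boot volume.
MAX_DISTINCT_TUPLES = 500
MIN_ONE_SHOT_RATIO = 0.9


def detect_tftp_session_flood(flows, window=WINDOW_SECONDS,
                              max_distinct=MAX_DISTINCT_TUPLES,
                              min_one_shot=MIN_ONE_SHOT_RATIO):
    """flows: iterable of (ts, src_ip, src_port, dst_port, proto) records.
    Returns [(window_start, distinct_tuples, one_shot_ratio), ...] alerts."""
    per_window = defaultdict(lambda: defaultdict(int))
    for ts, src_ip, src_port, dst_port, proto in flows:
        if proto != "udp" or dst_port != TFTP_PORT:
            continue  # only traffic aimed at the WDS TFTP listener matters
        per_window[ts - ts % window][(src_ip, src_port)] += 1
    alerts = []
    for start in sorted(per_window):
        counts = per_window[start]
        distinct = len(counts)
        one_shot = sum(1 for n in counts.values() if n == 1) / distinct
        if distinct > max_distinct and one_shot >= min_one_shot:
            alerts.append((start, distinct, round(one_shot, 3)))
    return alerts


def build_sample_flows(seed=1):
    """Constructed test data (not captured traffic): three real PXE clients
    retransmitting, then one minute of randomized spoofed source tuples."""
    rng = random.Random(seed)
    flows = []
    for i in range(3):  # legitimate clients: 4 packets each, one tuple each
        for k in range(4):
            flows.append((1200 + k * 5, f"10.0.0.{10 + i}", 40000 + i, TFTP_PORT, "udp"))
    for _ in range(2000):  # flood: every packet from a never-seen tuple
        ip = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        flows.append((1260 + rng.randint(0, 59), ip, rng.randint(1024, 65535), TFTP_PORT, "udp"))
    return flows


if __name__ == "__main__":
    print(detect_tftp_session_flood(build_sample_flows()))
```

Flow exporters on the WDS segment or the firewall in front of it can feed this per-window check, and the same distinct-tuple count doubles as the trigger for the rate-limiting the list above recommends.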
This vulnerability underscores the inherent risks in legacy, unauthenticated protocols like TFTP, especially in critical infrastructure like OS deployment systems. Organizations using WDS should immediately assess their exposure, implement network-level defenses, and prepare for possible disruption—especially since the attack vector is simple, effective, and currently unpatched.